tripleo

default etcd deployments share the same cluster token

Bug #1673266 reported by Emilien Macchi
6
This bug affects 1 person
Affects Status Importance Assigned to Milestone
tripleo
Fix Released
Critical
Emilien Macchi
tripleo pike-1 "pike-1"

Bug Description

This is really bad for security to provide default tokens, default passwords etc.

When deploying Etcd service in TripleO, the default cluster token will be "etcd-tripleo".
If someone deploys Etcd with default values, anyone can deploy an etcd instance and reach the cluster with this token and get the key/values from there.

We should generate this token everytime a deployment is done, like we already do for passwords etc.

Emilien Macchi (emilienm)
Changed in tripleo:
importance: Undecided → Critical
Revision history for this message
OpenStack Infra (hudson-openstack) wrote : Fix proposed to tripleo-common (master)

Fix proposed to branch: master
Review: https://review.openstack.org/446194

Changed in tripleo:
status: Triaged → In Progress
Revision history for this message
OpenStack Infra (hudson-openstack) wrote : Fix proposed to tripleo-heat-templates (master)

Fix proposed to branch: master
Review: https://review.openstack.org/446195

Revision history for this message
OpenStack Infra (hudson-openstack) wrote : Fix merged to tripleo-common (master)

Reviewed: https://review.openstack.org/446194
Committed: https://git.openstack.org/cgit/openstack/tripleo-common/commit/?id=09be30d196691319dde9e70bdd7a35ff90a6e984
Submitter: Jenkins
Branch: master

commit 09be30d196691319dde9e70bdd7a35ff90a6e984
Author: Emilien Macchi <email address hidden>
Date: Wed Mar 15 17:53:44 2017 -0400

    Generate EtcdInitialClusterToken

    Add EtcdInitialClusterToken to constants so
    the etcd token will be generated during the deployment.

    Change-Id: I6e30cce469736e84a3c483fafa29d542b8347ba9
    Partial-Bug: #1673266

Changed in tripleo:
status: In Progress → Fix Released
Revision history for this message
OpenStack Infra (hudson-openstack) wrote : Fix merged to tripleo-heat-templates (master)

Reviewed: https://review.openstack.org/446195
Committed: https://git.openstack.org/cgit/openstack/tripleo-heat-templates/commit/?id=55d17ca118d27f16b57424774265f5b3db7b7b52
Submitter: Jenkins
Branch: master

commit 55d17ca118d27f16b57424774265f5b3db7b7b52
Author: Emilien Macchi <email address hidden>
Date: Wed Mar 15 17:56:30 2017 -0400

    etcd: secure EtcdInitialClusterToken parameter

    Secure EtcdInitialClusterToken parameter by:

    * removing the default value.
    * make it hidden.

    Change-Id: I938af697f9faaadb9c9aeb950e9410db24b1b961
    Depends-On: I6e30cce469736e84a3c483fafa29d542b8347ba9
    Closes-Bug: #1673266

Revision history for this message
OpenStack Infra (hudson-openstack) wrote : Fix proposed to tripleo-common (stable/ocata)

Fix proposed to branch: stable/ocata
Review: https://review.openstack.org/446516

Revision history for this message
OpenStack Infra (hudson-openstack) wrote : Fix proposed to tripleo-heat-templates (stable/ocata)

Fix proposed to branch: stable/ocata
Review: https://review.openstack.org/446517

Revision history for this message
OpenStack Infra (hudson-openstack) wrote : Fix merged to tripleo-common (stable/ocata)

Reviewed: https://review.openstack.org/446516
Committed: https://git.openstack.org/cgit/openstack/tripleo-common/commit/?id=cb4168b22fd73460881d892ee726af5ac83576ed
Submitter: Jenkins
Branch: stable/ocata

commit cb4168b22fd73460881d892ee726af5ac83576ed
Author: Emilien Macchi <email address hidden>
Date: Wed Mar 15 17:53:44 2017 -0400

    Generate EtcdInitialClusterToken

    Add EtcdInitialClusterToken to constants so
    the etcd token will be generated during the deployment.

    Change-Id: I6e30cce469736e84a3c483fafa29d542b8347ba9
    Partial-Bug: #1673266
    (cherry picked from commit 09be30d196691319dde9e70bdd7a35ff90a6e984)

tags: added: in-stable-ocata
Revision history for this message
OpenStack Infra (hudson-openstack) wrote : Fix merged to tripleo-heat-templates (stable/ocata)

Reviewed: https://review.openstack.org/446517
Committed: https://git.openstack.org/cgit/openstack/tripleo-heat-templates/commit/?id=8f728b395328ae1231ef026a8f6c1c06a0b880a9
Submitter: Jenkins
Branch: stable/ocata

commit 8f728b395328ae1231ef026a8f6c1c06a0b880a9
Author: Emilien Macchi <email address hidden>
Date: Wed Mar 15 17:56:30 2017 -0400

    etcd: secure EtcdInitialClusterToken parameter

    Secure EtcdInitialClusterToken parameter by:

    * removing the default value.
    * make it hidden.

    Change-Id: I938af697f9faaadb9c9aeb950e9410db24b1b961
    Depends-On: I6e30cce469736e84a3c483fafa29d542b8347ba9
    Closes-Bug: #1673266
    (cherry picked from commit 55d17ca118d27f16b57424774265f5b3db7b7b52)

Revision history for this message
OpenStack Infra (hudson-openstack) wrote : Fix included in openstack/tripleo-heat-templates 7.0.0.0b1

This issue was fixed in the openstack/tripleo-heat-templates 7.0.0.0b1 development milestone.

Revision history for this message
OpenStack Infra (hudson-openstack) wrote : Fix included in openstack/tripleo-heat-templates 6.1.0

This issue was fixed in the openstack/tripleo-heat-templates 6.1.0 release.

To post a comment you must log in.
This report contains Public information  
Everyone can see this information.
Subscribing...

Other bug subscribers

Remote bug watches

Bug watches keep track of this bug in other bug trackers.